tracing routes

Tracing Internet routes is done by sending probe packets to a target with a TTL (time-to-live) that starts at one and is increased by one for each round. When the TTL reaches 0 at a gateway, that gateway sends an ICMP TIME_EXCEEDED message back to the local host and its IP address is recorded. When a probe finally reaches the target, the reply should be an ICMP “port unreachable” or a TCP reset.

The most venerable of the tracing tools is traceroute:

root:/etc> traceroute 8.8.4.4
traceroute to 8.8.4.4 (8.8.4.4), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  165.225.80.2 (165.225.80.2)  28.760 ms  28.781 ms  28.777 ms
 5  195.66.224.125 (195.66.224.125)  28.770 ms  29.789 ms  32.014 ms
 6  216.239.47.107 (216.239.47.107)  33.925 ms 216.239.47.95 (216.239.47.95)  16.482 ms 216.239.47.97 (216.239.47.97)  18.969 ms
 7  209.85.244.41 (209.85.244.41)  20.180 ms 209.85.244.45 (209.85.244.45)  25.987 ms 216.239.47.135 (216.239.47.135)  27.237 ms
 8  google-public-dns-b.google.com (8.8.4.4)  25.764 ms  24.337 ms  20.102 ms

We can use a few interesting options with this command that make it more adaptable to our needs:

-4              → forces IPv4 when using TCP/UDP
-6              → forces IPv6
-I              → uses ICMP probes
-T              → uses TCP probes
-U              → uses UDP probes (default)
-i <interface>  → uses interface as source
-g <gateway>    → uses specified gateway rather than default
-f <first_ttl>  → sets first ttl to a value other than 1
-m <max_ttl>    → max ttl
-p <dest_port>  → sets destination port
-n              → do not resolve IPs into names

root:/etc> traceroute -4 -T -p 53 -f 1 -m 30 8.8.4.4
traceroute to 8.8.4.4 (8.8.4.4), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  google-public-dns-b.google.com (8.8.4.4)  44.375 ms  45.119 ms  45.559 ms
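As an added example that is not part of the original page, here is a small Python parser for the standard Linux traceroute output shown above. It keeps each probe's responder separately, so a hop such as 6 in the first run, where the three probes were answered by three different routers (per-packet load balancing), is reported as such rather than collapsed to the first address, and hops that never answer (* * *) are flagged; it assumes the output format shown on this page (name (ip) followed by RTTs in ms, with any trailing !X annotations skipped).

```python
import re

# Constructed sample: the page's traceroute run to 8.8.4.4 (hops 6 and 7 each on one line).
SAMPLE = """\
traceroute to 8.8.4.4 (8.8.4.4), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  165.225.80.2 (165.225.80.2)  28.760 ms  28.781 ms  28.777 ms
 5  195.66.224.125 (195.66.224.125)  28.770 ms  29.789 ms  32.014 ms
 6  216.239.47.107 (216.239.47.107)  33.925 ms 216.239.47.95 (216.239.47.95)  16.482 ms 216.239.47.97 (216.239.47.97)  18.969 ms
 7  209.85.244.41 (209.85.244.41)  20.180 ms 209.85.244.45 (209.85.244.45)  25.987 ms 216.239.47.135 (216.239.47.135)  27.237 ms
 8  google-public-dns-b.google.com (8.8.4.4)  25.764 ms  24.337 ms  20.102 ms
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
# One token at a time: "name (ip)", "12.3 ms", "*", or a trailing annotation such as !H / !N
TOKEN = re.compile(r"\S+\s+\((?P<ip>[^)]+)\)|(?P<rtt>\d+(?:\.\d+)?)\s+ms|(?P<star>\*)|![A-Za-z0-9]*")

def parse_traceroute(text):
    """Return [(ttl, [(ip, rtt_ms), ...]), ...]; a timed-out probe is (None, None)."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header or blank line
        probes, current_ip = [], None
        for tok in TOKEN.finditer(m.group(2)):
            if tok.group("ip"):           # a new responder: later RTTs belong to it
                current_ip = tok.group("ip")
            elif tok.group("rtt"):
                probes.append((current_ip, float(tok.group("rtt"))))
            elif tok.group("star"):
                probes.append((None, None))
        hops.append((int(m.group(1)), probes))
    return hops

def responders(probes):
    """Distinct addresses that answered at one TTL."""
    return sorted({ip for ip, _ in probes if ip})

def silent_hops(hops):
    """TTLs where no probe was answered (a gateway that filters or rate-limits ICMP)."""
    return [ttl for ttl, probes in hops if not responders(probes)]

def load_balanced_hops(hops):
    """TTLs answered by more than one address: per-packet load balancing on the path."""
    return [ttl for ttl, probes in hops if len(responders(probes)) > 1]
```

Whether the trace actually reached the target is simply whether the target address is among the responders of the last hop.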

If we find the output of traceroute awkward and can get by with UDP probes only (no TCP or ICMP!), we can also use tracepath / tracepath6:

root:/home/marc> tracepath 52.6.109.9
1?: [LOCALHOST] pmtu 1500
1:  www.huaweimobilewifi.com 2.847ms
1:  www.huaweimobilewifi.com 2.710ms
2:  no reply
3:  10.8.31.85 76.891ms asymm 2
4:  10.8.54.84 57.818ms
5:  213.55.209.5 73.285ms asymm 4
6:  zch-b2-link.telia.net 85.552ms asymm 5
7:  prs-bb3-link.telia.net 79.185ms asymm 6
8:  ash-bb3-link.telia.net 186.930ms asymm 7
9:  ash-b1-link.telia.net 169.080ms asymm 8
10: vadata-ic-157230-ash-bb1.c.telia.net 167.240ms asymm 13
11: no reply
[…]

The flags we can use with tracepath are:

-n            -> print IPs, not hostnames
-b            -> print both hostnames and IPs
-l <pkt len>  -> set initial packet length (default 65535, or 128000 for tracepath6)
-m <max_ttl>  -> max TTL (default 30)
-p <port>     -> port to use (default random)
